You may have missed it, but the CMMC Accreditation Body (CMMC-AB) hosted their March Town Hall Meeting on Tuesday, March 29^th. The meeting lasted about an hour and covered several topics surrounding the CMMC. 

Topics included training and certification programs and the recent activities of the Defense Contract Management Association’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center, aka DIBCAC.

The team at SME wanted to share some of the most relevant, actionable information from the meeting with our customer base of DIB contractors.

It‘s important to note that DIBCAC is starting to do random assessments, look into compliance documentation, check SPRS scores, and ask for additional self-assessment documentation.

But what are the need-to-knows for Defense Industrial Base contractors?  

These are the issues from the CMMC-AB town hall that we’ll discuss in this post:

• What type of assessments will DCMA be conducting, and what do DIB contractors need to be aware of? 
• What are the compliance risks and required actions from contractors?
• Where can DIB contractors go for questions and clarification?

So let’s get started with some important notes from the town hall meeting. The full meeting notes are available from the CMMC-AB:

Mr. DelRosso (DCMA/DIBCAC spokesman) then provided an update on medium assessments, which the DCMA DIBCAC is initiating to provide acquisition insight into the DIB. They are a paper-based drill and will be of minimal impact to contractors. They will be used for companies who self-attested at a variety of levels and will include a review of System Security Plan (SSP) descriptions of how each requirement is met. The DCMA will look at high scorers and low scorers and see if there is any pattern that can be identified based on scores and sectors of the DIB to get a real understanding on what is going on. The DCMA DIBCAC will be checking some of these SSPs soon to get a sense of compliance within the ecosystem.

The medium assessments have started rolling out. It might be helpful to understand the difference between medium versus high assessments:

• Medium assessments – paper-based review used for companies who self-attested at a variety of levels and will include a review of System Security Plan (SSP) descriptions of how each requirement is met.
• High assessments – a medium assessment but a higher level review of documentation that is submitted which follows more methodologies

Here’s what you need to be aware of—if your organization has submitted a Supplier Performance Risk System (SPRS) score based on self-assessment, you still need to have a detailed system security plan (SSP) in place and available to DIBCAC personnel. 

In fact, the absence of an SSP could invalidate your score, according to NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1:

i) Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the review of a system security plan describing how the security requirements are met, it is not possible to conduct the assessment if the information is not available. The absence of a system security plan would result in a finding that  ‘an assessment could not be completed due to incomplete information and  noncompliance with DFARS clause 252.204-7012.’

So what are the compliance risks and required actions for DIB contractors?

You never want to be at risk with DCMA/DIBCAC compliance. You could be subject to invasive document review requests, DCMA Corrective Action Requests (CARs), and ultimately disciplinary actions, loss of contracts, status revocations, etc.

When industry-tested, professional, cost-effective solutions are readily available, who needs any of that?

Where can DIB contractors go for questions and clarification?

If you don’t have a system security plan in place, get in touch with our team today.

You still have time to get all of your documentation in place.

With our DIB-contractor-tested Compliance Management Platform, we can crosswalk from NIST 800-171 to CMMC and DIBCAC medium assessments. We’ll help you identify any gaps. Our team of Registered Practitioners will work with your team to build an SSP and an accurate, compliant SPRS Score.

As a designated CMMC-AB Registered Provider Organization (RPO), SME is uniquely positioned to provide pre-assessment advice, consulting services remediation, and compliance recommendations to government contractors.

SME takes a different, more efficient approach to help our DIB clients achieve compliance. When you partner with us, you get a dedicated engineer who will help you build an action plan for a DCMA DIBCAC medium assessment.

At SME, we have a team of experts with all the extensive experience and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity. We are laser-focused on information security, so you don’t have to be.  

Right now we’re offering a no-obligation SSP assessment at no cost to you. 
Call us at 703-378-4110. Schedule Your Free SSP Assessment Today!

Those are two great questions. And we’re going to provide some answers. 

We’re also going to discuss a nexus between CMMC certification and cyber insurance audit requirements that may enable you to kill two birds with one stone. 

In this post, we’ll drill down into these three critical aspects of cyber insurance:

• What is cyber insurance, and how does it work? 
• What are the business benefits?
• Are there similarities between CMMC certification and cyber insurance audit requirements?

So what is cyber insurance, and how does it work?

Let’s start with a great definition from the liability experts at Hiscox Group:

A cyber insurance policy is designed to cover privacy, data, and network exposures. The list of regulations and statutes continues to expand regarding the use and protection of cyber security information, as well as notification requirements in the event of a breach. As cyber exposures continue evolving, so will your need to ensure that your business is protected if a cyber attack occurs.

Cyber insurance policies can vary from hundreds of dollars per year to tens of thousands. The cost of the policy will depend on a number of factors, including:

• Type, quantity, and sensitivity of the information 
• Size of the IT enterprise—number and locations of servers, storage devices, etc.   
• Type and number of data and user access points and controls—web, employees, contractors, etc.
• Current security vulnerabilities, etc.

Do the business benefits of cyber insurance outweigh the costs?

That depends on your business. Cyber insurance provides security breach and incident coverage over and above your general liability and professional liability insurance coverage. You can also design your policy to cover breach recovery costs, ransom and extortion costs, breach notification costs, loss of income, etc. Businesses should customize their policy to balance potential vulnerabilities and liabilities.

Additional business recovery costs can include hiring consultants to help with data recovery, replacement hardware and software, general IT consulting services, public relations costs, repairing a damaged business reputation, etc.  

Some things that you’ll want to ask your insurance company about, related to costs that might not be covered, include:

• Third-party lawsuits
• Legal fees in general
• Intentional, negligent acts on your company’s part
• Property damage or physical injury
• Acts of terrorism

Cyber insurance can be an extremely effective weapon against cyber crimes and data breaches. But it’s up to you and your team of IT security experts to find the right policy to fit with your overarching security management framework and infrastructure.  

Are there similarities between CMMC certification and cyber insurance audit requirements?

The short answer to that question is yes. There is no absolute requirement standard for DoD contractors or related businesses to become CMMC certified or to buy cyber insurance at this time. But, as we point out in a recent post, CMMC compliance requirements are an inevitable reality. CMMC implementation timelines may also be moving closer than the original target date of October 2025.

The right cyber insurance policy might also be a powerful, cost-effective tool in your cybersecurity armament. 

Both CMMC certification and the implementation of cyber insurance require an audit of your current security practices, policies, and infrastructure.  

So we’re offering a complimentary initial security assessment for DoD small businesses, contractors, and subcontractors. This is an excellent opportunity to assess your cybersecurity environment for CMMC certification and cyber insurance at the same time.   

And we’re providing the initial assessment at no cost to you.

At SME, we have a team of experts with all of the extensive experience and certifications that it takes to keep up with today’s incredibly fast-paced world of cybersecurity. We are laser-focused on information security, so you don’t have to be.  

Are cybersecurity issues and potential threats keeping you up at night? Do you have questions about CMMC requirements for DoD contractors and small businesses? Let us handle your information security so you can focus on growing your business. 

Take advantage of our no-obligation CMMC certification and cybersecurity insurance readiness assessment with no obligation and no cost to you. 

Call us at 703-378-4110 Schedule Your Free Cybersecurity Assessment Today! 

As a DoD contractor, you already know the road to CMMC compliance is full of twists and turns. Now, amid concerns about the costs and complexities of the process, the DoD has overhauled the Cybersecurity Maturity Model Certification once again, launching CMMC 2.0 in November.

CMMC 2.0 is the DOD’s efforts to streamline and improve earlier CMMC compliance requirements, specifically by revamping the five maturity levels into three. CMMC 2.0 maintains the program’s original mission of protecting sensitive information, but offers several other advantages for some government contractors:

• Simplifies the standards.
•  Minimizes barriers to compliance.
• Sets priorities for protecting DoD information.
• Provides additional clarity on regulatory, policy, and contracting requirements.
• Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.
• Increases department oversight.

Collapse and Streamline of Levels

CMMC 2.0 still has a level 1, 2, and 3, but they are very different than the levels of CMMC 1.0. Levels 2 and 4 have been eliminated. Here’s a brief overview of what the new levels look like.

Level 1 mostly stays the same with 17 practices requirements, but third-party assessments are no longer required. Instead, an annual self-assessment will be required to certify compliance.

Level 2 (formerly level 3 in CMMC 1.0) will be aligned with the full 17 NIST 800-171 practices but eliminates all CMMC unique practices and processes. Assessments for Level 2 will be triennial third-party assessments for critical national security information and annual self-assessments for select programs.

Level 3 (formerly level 5 in CMMC 1.0) will use a subset of 100+ NIST 800-172 practices. Level 3 will require triennial government-led assessments.

The Interim Rule Is Still In Effect!

The Interim Rule is still in effect! NIST 800-171 Self-Assessment, SSP, POAM, and SPRS Score still stand. However, the timeline for contracts to include the CMMC level may possibly change from 2025 to 2023.

Confused yet? With the introduction of CMMC 2.0, it’s time to take a look at where you are now, what the new changes mean for your company, and where you need to go. SME can help you better understand 2.0 and how you can competitively position your organization by developing a plan on how to get there.

Cybersecurity is no joke. And that’s just the message that the Department of Justice (DOJ) is sending with its creation of the Civil Cyber Fraud Initiative. This initiative allows the DOJ to use civil enforcement of the False Claims Act (FCA) against government contractors and grant recipients who fail to follow required cybersecurity standards, jeopardizing U.S. information and infrastructure.

All government contractors should take this initiative very seriously. Failure to adopt and maintain cybersecurity best practices can mean reimbursing the government and taxpayers for losses incurred if your company fails to satisfy your cybersecurity obligations. In fact, for the fiscal year ending September 30, 2020, the DOJ collected more than $2.2 billion in settlements and judgments from civil cases involving fraud and false claims against the government.

SME can help you avoid DOJ scrutiny and potential FCA claims with our trusted cybersecurity tools that meet federal standards and regulatory obligations. We can help you implement a cybersecurity hygiene strategy so you can avoid FCA enforcement.

Give us a call at 703-378-4110 if you’re ready to learn more about how SME can help.

By now, DoD contractors already mired in the complexities of Cybersecurity Maturity Model Certification (CMMC) know one thing for certain: the process takes time—anywhere from six to 12 months, depending on the maturity of your company’s security level, policies, and procedures. If you want to continue to win government contracts, and you haven’t started the CMMC process yet, it’s crunch time, and a last-minute cram session won’t cut it in this case. 

There is a LOT that goes into the CMMC certification process. While not all DoD contractor’s compliance journeys will be the same, those who are ahead of the game have some valuable insights that every organization can apply. To help ensure you start your CMMC efforts off on the right foot, here are some lessons learned by Certified Third-Party Assessor Organizations (C3PAOs).

Don’t Skimp on Standard Operating Procedures (SOP)

At CMMC Level 2, organizations are required to document a system security plan, practices, and policies that allow staff to perform processes that are repeatable and consistent. Best practices show that having robust, detailed, step-by-step procedures, including a well-defined purpose, scope and roles and responsibilities for each activity, is important for a successful CMMC.   

Make an Incident Response Plan a Priority

Also high on the list of lessons learned is establishing a formal and proactive Incident Response (IR) plan and regularly test the plan to increase your organization’s ability to respond to security incidents.

Know Your Network Inside and Out

Get to know your network—and the people who use it—intimately! Start by performing an audit to accurately assess your network devices and approve all of the devices connected to your network, the applications and software they are running, including your email system, and create a list. And, know your data stored on your network. CMMC focuses mainly on protected controlled unclassified information (CUI) which can include software executable code, source code, technical reports, studies, analysis, intellectual property, engineering drawings, tax-related information, to name a few.

Get a Grip on Daily Cybersecurity Hygiene

Checking in on your organization’s cybersecurity measures everyday isn’t just a suggestion, but a must. And it’s much more than protecting passwords and telling employees not to click on phishing links. There are 5 levels of CMMC cybersecurity hygiene, each with their own requirements. One way to get a handle on daily cybersecurity hygiene—and show your due diligence—is through a dashboard-driven tool like SME’s state-of-the-art Compliance Management Platform, that gives you the visibility you need to know the real-time status of all your programs.  

Need CMMC Assistance?

If you bid on DoD contracts, don’t wait any longer to start your CMMC certification process. SME will work with you to prepare and navigate CMMC and help you maintain your maturity levels. Give us a call at 703-378-4110 or email info@smeinc.net.

The Internet of Things, or IoT devices are great! Not only do they provide automated, seamless assistance to normal, everyday life; they also make life simpler. Can’t remember if you locked the door before leaving? Open up the app for your Smart Door Lock and engage the lock. Want to make sure the house is the perfect temperature when you arrive? Smart thermostats like Nest, Ecobee, or HoneyWell can give you the ability to turn on the heat or AC before you even walk through the door; and who doesn’t like the sound of being able to make sure dinner is cooking and will be ready for when you get home from work? There’s a Smart Crockpot for that! Yes, seriously! Even a large majority of the TV’s sold in stores are Wi-Fi enabled.

As convenient and simple as these types of devices can make our everyday lives, they can also be something of a double edged sword, as they can come at a price that’s significantly higher than what the device itself actually costs. As with many of the electronic and internet enabled devices that we use in everyday life, IoT devices require a certain level of security, and ignoring this aspect when it comes to your IoT devices can do much more harm than good. 

How IoT devices Can Make Us More Vulnerable

As with any device that connects to a network, hackers can use IoT devices to gain access and even a long standing foothold into your network, and this can happen from even the most unexpected of devices. Unfortunately, many of us are more concerned with getting these cool, new devices, getting them configured, and setup on the network so that we can start using them immediately; and as a result put the idea of securing the devices on the back burner. 

So what exactly can be done to secure these IoT devices? Actually, there is quite a bit that can be done!

Use Your Own Network, Avoid Public Wi-Fi

It should go without saying that if you’re planning on trying out that new Wi-Fi enabled toaster, don’t connect it to a public Wi-Fi network. In the rare, off chance that you absolutely have to connect the device to a public network, use a Virtual Private Network (VPN).

Setup and Use a Guest Network

Guest networks are simple to set up and configure and provide an extra layer of security to your network. This is especially true in the case when you have visitors who want to use your Wi-Fi, either at home or in the office. The guest network can provide them with access to the network and of course to the internet, but it secludes them from entering into the main network so they can’t actually access any of the other devices or system connected to the main network. 

It’s recommended to also use a guest network for your IoT devices, such that in the off chance that one of the devices is indeed compromised, then the threat actor (hacker) will be trapped within that guest network and unable to access your personal devices on the main network.

Always Reconfigure Every IoT Device

Whether you receive it as a gift or purchase it as soon as it hits the shelves, every IoT device that you plan to connect to your network needs to be reconfigured during setup. This doesn’t mean you have to take the device apart to “hack it”, all this simply means is setting up a strong, complex, and secure password for the device, as well as the email or federated login account you’re using to set up the device.

Use Strong Passwords

Just as we mentioned above, make it a habit of using strong, complex passwords for all the devices that you connect to your network and the accounts that you may end up creating for these devices. People often have a tendency of reusing the same password for many of their devices and accounts, what is even worse is the fact that most of these passwords are simple, and can either be easily guessed, or cracked by hackers.

Also make a habit of using Two-Factor Authentication (2FA) if the account or device allows it. 

Always Know What Is Connected to Your Network. 

It should go without saying that you should always be cognizant or aware of what devices are connected to your network. Many of today’s wireless network routers come with easy to access and user friendly administrative interfaces that can be used to find out exactly what devices are connected to your network. However there are some routers that are setup and configured using an app, and these apps also allow the same type of administrative check. 

Ensure Devices are Updated

When initially setting up a new IoT device, always make sure to check and see if it has any current software/firmware updates that can be applied. Also, another even more helpful feature to have is auto-updates, so if the device has this capability, enable it. Be sure to make a habit of checking to see if the device needs updating. 

IoT devices and the technology that drives them have a seemingly unlimited potential to assist us in our daily lives, but do not disregard the risks. You can purchase the most highly rated, most expensive IoT device on the market that was created by the top companies in that field, but at the end of the day, the security of IoT devices and that of your network is up to your and the amount of time and level of protection that you are willing to take. 

Ransomware, phishing, password cracking, social engineering—these are all REAL threats, and they are only getting worse as cyber criminals get better. If you are a DoD contractor, it’s time to get your staff on the same security page. If your staff isn’t trained in cybersecurity hygiene, then they’re putting your entire organization at risk.

As part of the CMMC compliance, Security Awareness and Training (AT) is one of the 17 domain requirements that companies looking for CMMC maturity certification level 2 or higher have to meet before working on government contracts. 

The requirement means that you have to have an effective cybersecurity training program in place. There are five AT practices broken into two capabilities: C011 Conduct Security Awareness Activities and C012 Conduct Training. Here’s a look at how the practices are broken out.

C011 includes two practices:

AT.2.056: Cybersecurity awareness training for all users

This practice ensures that managers, system administrators, and users of company systems are conscious of the various security risks related to their activities, and the procedures, standards, and policies related to the security of those systems.

Contractors can comply with this DoD CMMC requirement by conducting an annual cybersecurity awareness training. This training program must be customizable and should come with links to a company’s security policies and the contact information of its security department.

AT.3.058: Provide cybersecurity awareness training to identify and report possible insider threats

Contractors handling controlled unclassified information (CUI) must conduct insider threat training as part of their cybersecurity initiative. The training must identify the risk factors involved in becoming an insider threat, as well as a less formal way of reporting potential threats to avoid discrimination among friends and colleagues.

C012 includes these four practices:

AT.2.057: Ensure that cybersecurity personnel are properly trained to perform their security-related tasks and responsibilities.

Contractors should implement security training designed for system administrators, help desk, developers, and testers. Cybersecurity personnel should also possess security certifications such as a Certified Information Systems Security Professional (CISSP).

AT.4.059: Offer security awareness training designed to detect and respond to threats from suspicious behavior, breaches, advanced persistent threats (APTs), and social engineering. This security awareness training must be updated at least once a year, or if new threats are discovered. (Meant for certification levels 4 or higher)

To meet the requirements of this practice, contractors must conduct security awareness training sessions that focus on tactics used by APT actors. The goal of this practice is for companies to go beyond basic cybersecurity practices and broaden their cyber defenses against more advanced attacks.

AT.4.060: Practical exercises must be included in security awareness training modules. These exercises should be aligned with the latest threat scenarios and must offer feedback to personnel involved in the training. (Meant for certification levels 4 or higher)

This practice is designed to enhance a contractor’s security awareness training by including exercises associated with real-world threats. Also, the requirement to provide feedback is to ensure contractors are being proactive in measuring the value provided by these security exercises.

How you get trained is important too. SME’s CMMC experts are Certified Security Awareness Practitioners, or CSAP. Our security awareness training program includes everything you need to select the right content, deploy your training, and obtain detailed reporting on progress and completion. Don’t put off this important CMMC certification requirement. Our training programs are easy to arrange and affordable. Start your Security Awareness and Training domain requirement today!

The Cybersecurity Maturity Model Certification program (CMMC) is ramping up this summer—even though approved CMMC Third-Party Assessment Organizations (C3PAOs) are in short supply and timelines are ever evolving. These hiccups might have you thinking you have all the time in the world to start your CMMC certification. Unfortunately, that assumption just isn’t correct.

CMMC isn’t going away. Though the organizations waiting to receive their C3PAO status are stacking up, so are the thousands of DoD contractors who are waiting to achieve CMMC certification. Having the right controls in place isn’t just something you can wing, or pencil whip your way around. Now is the time to save your place in line so you don’t miss out on opportunities for government contracts.  Here are five steps you can take now to get you closer to CMMC compliance.

Get to Know Your Data

Not every piece of data that resides in a contractor’s IT systems is classified—and it doesn’t have to be. In fact, CMMC largely focuses on protecting controlled unclassified information, or CUI. CUI data covers a wide range of information, including software executable code, source code, technical reports, studies, analysis, intellectual property, engineering drawings, tax-related information, and much, much more.

Test Your Backups

Are you prepared to recover from an event that might compromise the integrity or availability of your data? Backing up all content—not just CUI—is a CMMC requirement. A loss of data can significantly impact your operations, and, depending on CMMC level, impact national security. Now is the time to test your backup systems and determine their functionality.

System recovery is a key focus of CMMC, specifically the ability to recover from any event that compromises the integrity and availability of data. The requirement is to backup all content, not just controlled unclassified information (CUI) and other critical content.

Create an Incident Response Plan

Speaking of recovering from an event, contractors with level 2 or higher CMMC requirements must have an incident response plan in place that proves your ability to detect, respond, analyze, report, and test incidents.

Practice Daily Cybersecurity Hygiene-That Means Everybody

CMMC success starts with every single person in your organization practicing cyber hygiene at all times. From the front desk to the C-Suite, ensuring cybersecurity in your government contracting business is everyone’s responsibility. This goes beyond checking off the usual boxes of password updates and identifying phishing emails. Your firm needs to be right 100% of the time for cybersecurity. Attackers only need to be right one time—that one time they are able to detect a weakness and move in for the kill.

There are 5 levels of CMMC cybersecurity hygiene, and each has its own requirements. Level 1 is basic cyber hygiene and includes 17 practices from NIST standards that companies should already be practicing when working for the DoD. They go up from there to Level 5, which includes 171 practices. These organizations have an advanced, progressive cybersecurity system in place and can assess and prevent advanced threats.

Even if CMMC wasn’t a requirement for DoD contractors—you should be practicing cybersecurity hygiene anyway! With high-profile ransomware and leakware attacks making the headlines in increasing fashion, it’s not a matter of if, but when a compromise will take place.

Communicate with your Subcontractors

In addition to your own internal team, getting your subcontractors on the same page is also crucial to CMMC success—and it’s a requirement. Weaknesses in the DoD supply chain are most prevalent several levels down from the prime contractor. If you are a prime, know this: you are obligated to educate your subcontractors on the proper CMMC requirements and where CUI lives on your systems so they can begin their CMMC journey as well.

With thousands of DoD contractors already waiting to achieve CMMC certification, you don’t want to find yourself at the back of the line. No matter where you are in the process, SME can help you navigate the process. We’re experts in CMMC certification requirements and implementation. Give us a call at 703-378-4110 or email info@smeinc.net.

Cybersecurity and Compliance Made Easy

Do you have a compliance action plan in place? With 171 sub-controls across five levels, CMMC compliance can seem overwhelming—even more so for contracts with higher level requirements. SME’s Compliance Management Platform makes compliance easy for DoD contractors to maintain their eligibility.

What is SME’s Compliance Management Platform?

Our state-of-the-art Compliance Management Platform is a dashboard-driven tool that helps your organization crosswalk from NIST 800-171 to CMMC, at any maturity level. The platform gives you the visibility you need to know the real-time status of your programs—across all lines of business—and makes it easy to assess, build, manage, connect, and report all of your cybersecurity functions. Here’s a look at some of the features.

Assessment Manager

Predefined or customized templates. The questionnaire-based Assessment Manager in SME’s Compliant Management Platform allows you to evaluate your cybersecurity posture quickly and easily. You can fast track assessments using the Platforms’ predefined templates or customize your own to match your unique needs.

One click-reporting. The reports feature improves visibility for all your stakeholders including auditors, executives, and Board of Directors. And, you can transfer the results of your assessment to a program to get a head start on compliance, management, and remediation.

Create a full program. Transfer your completed assessment results and evidence into a full program. There you can manage remediation tasks and workflows, monitor compliance progress and budgets—and create additional reports.

Harmony

As your cybersecurity program matures, the Harmony feature of the Platform makes it easy for you to add and manage multiple frameworks as one mapped program without duplicating your efforts. This means you can consolidate thousands of sub controls from an entire library of frameworks, making your cybersecurity and compliance efforts much more efficient. In fact, you could see a reduction in cost, time and effort by 60% and gain a head start on compliance with:

 Unlimited combinations. Crosswalk frameworks in unlimited combinations.

One-click reporting. Easy report feature for consolidated analysis of mapped programs supports a wide variety of recurring and ad hoc reporting needs.

Flexible monitoring. Monitor and report on combined and individual frameworks.

Streamlined maintenance. Data replication across subcontrols in both the mapped program and standalone frameworks.

Automatic Uncoupling. If you need to remove a framework from a mapped program, the Compliance Management Platform will automatically uncouple the subcontrols, but will remain in each standalone framework.

For a seamless execution of your CMMC strategy, let SME’s robust Compliance Management Platform be your competitive advantage. To start your compliance action plan today, give me a call today at (571) 601-1496 or email at info@smeinc.net.